produpd.exe

produpd.exe

Vested Development, Inc

The executable produpd.exe has been detected as malware by 2 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘produpd’. While running, it connects to the Internet address interviewder.net on port 8000.
Publisher:
Vested Development, Inc

Product:
produpd.exe

Version:
2.2.1.23

MD5:
299c1a7062b3dbba42731f971ca7635a

SHA-1:
529a35554292695eaa155a7ed8ca637750de2777

SHA-256:
51731f558c6d48a0a35f7d47f7304941782696dc7be6bc68fee5689029568a45

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
12/24/2024 2:11:01 AM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/Glupteba.AU trojan
6.3.12010.0

F-Secure
Variant.Zusy.214304
5.15.154

File size:
511.5 KB (523,776 bytes)

Product version:
2.2.0.2

Copyright:
Copyright © 2016

Original file name:
produpd.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata
Compilation timestamp:
2/18/2017 1:01:09 AM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

Entry address:
0x1DC21

Entry point:
E8, F5, 09, 00, 00, E9, 8E, FE, FF, FF, FF, 25, 84, 72, 45, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, 6E, F8, FF, FF, F2, E9, DA, FF, FF, FF, 8B, 4D, EC, 33, CD, F2, E8, 5D, F8, FF, FF, F2, E9, C9, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 78, 20, 47, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00...
 
[+]

Code size:
340.5 KB (348,672 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
produpd

Command:
"C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe" \20506


The executing file has been seen to make the following network communications in live environments.

TCP (WHOIS):
Connects to whois-casa.localnet  (213.248.242.105:43)

TCP (HTTP):
Connects to server-54-230-15-250.ams1.r.cloudfront.net  (54.230.15.250:80)

TCP (WHOIS):
Connects to mailrelay.48.website.ws  (64.70.19.48:43)

TCP (HTTP SSL):
Connects to server-54-192-98-169.arn1.r.cloudfront.net  (54.192.98.169:443)

TCP (HTTP SSL):
Connects to server-54-192-98-163.arn1.r.cloudfront.net  (54.192.98.163:443)

TCP:
Connects to interviewder.net  (91.203.5.26:8000)

TCP (WHOIS):
Connects to whois.sjl.rightside.co  (198.147.209.137:43)

TCP (WHOIS):
Connects to whois.sea1.verisign.com  (199.7.74.74:43)

Remove produpd.exe - Powered by Reason Core Security